Analysis

max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 13:53
Static task: static1

Behavioral task: behavioral1 (the run shown on this page: platform windows7_x64, resource win7-20241010-en)
  Sample: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
  Resource: win10v2004-20241007-en
General

Target: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
Size: 2.6MB
MD5: de0b5782de12cab93f8325f9473888ee
SHA1: 83b4ba6493642200f175d76bb53659eeedd6dba6
SHA256: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7
SHA512: 21012aefb971bf05b5090f74375bb436d1294f227662efe661dededd5355d381f7f26195abc28db6f96b5d0dfbf27206aca5383b54c6111ffd225a3992f04341
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCzB/bSm:sxX7QnxrloE5dpUpfNb3
Malware Config

Signatures
Drops startup file (1 IoC)
Processes:
  Process: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
Anything placed in the per-user Startup folder is launched at every logon of that user, so this is a persistence artifact; the process tree below also shows the dropped ecdevopti.exe being started immediately as PID 2016.
Executes dropped EXE (2 IoCs)
Processes:
  PID 2016  ecdevopti.exe
  PID 1320  devbodec.exe
Loads dropped DLL (2 IoCs)
Processes:
  PID 1796  a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe (2 entries)
The report records only the loading process for this signature, not the paths of the DLLs that were loaded.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and session cookies. The report attaches TTPs only; no file or registry IoC is listed for this behaviour, so it cannot be tied to a specific process from this page alone.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Process: a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Q\\devbodec.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWE\\bodxloc.exe"
Both values are written under the sandbox user's own hive (HKCU), so no elevation is required. The Run value points at devbodec.exe, which the process tree below shows executing as PID 1320. The RunOnce value points at C:\MintWE\bodxloc.exe, a path that appears nowhere else in this report (not in the process tree and not in the dropped-file list), so on a live host it is worth checking whether that file exists.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdevopti.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devbodec.exe
All three processes read the same key. A check of this kind is commonly used to avoid running on hosts with a particular locale, so the dropped executables behave the same way as the parent here.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 1796  a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe  (2 entries)
  PID 2016  ecdevopti.exe  (31 entries)
  PID 1320  devbodec.exe   (31 entries)
The original listing gives the two entries for PID 1796 first and then alternates between PIDs 2016 and 1320 for the remaining 62 entries.
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  Source PID  Source process                                                           Target PID  procid_target  Entries
  1796        a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe    2016        30             4
  1796        a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe    1320        31             4
Every write goes from the parent into a child it has just created (compare the process tree below), and a fixed handful of writes per spawned child is what the sandbox records for ordinary process creation, where the parent writes the new process's startup parameters before it runs. On its own this signature is therefore weak evidence of injection; it becomes interesting when the target is a process the writer did not spawn, or when the write count per target is far above what creation explains.
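The triage rule from the previous paragraph, as an added example that is not part of the sandbox report: parse the report's "PID <src> wrote to memory of <dst> ..." lines, then compare each writer/target pair against the parent/child edges of the process tree. The process-tree edges and the eight entries come from this page; the line regex, the per-child threshold of four writes, and the verdict labels are assumptions of this example.

```python
"""Triage "Suspicious use of WriteProcessMemory" entries against the process tree.

Added example, not the sandbox's code. The report prints one line per write:
  "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
and for this sample shows four writes from PID 1796 into each child it spawned
(2016 and 1320). The check below only escalates writes whose target the
writer did not spawn, or whose count exceeds the per-child number that plain
process creation produced here (threshold is an assumption; tune it to your
sandbox).
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[int, int]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# Parent -> child edges visible in the Processes section of the report.
PROCESS_TREE: Set[Edge] = {(1796, 2016), (1796, 1320)}

SAMPLE = "a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe"
# The eight IoC lines, reconstructed from the flattened report text.
REPORT_LINES = [
    f"PID 1796 wrote to memory of {dst} 1796 {SAMPLE} {procid}"
    for dst, procid in ((2016, 30), (1320, 31))
    for _ in range(4)
]


def parse_writes(lines: Iterable[str]) -> List[Edge]:
    """Parse the sandbox's WriteProcessMemory lines into (src_pid, dst_pid) pairs."""
    pairs: List[Edge] = []
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def triage_writes(edges: Set[Edge], writes: List[Edge],
                  creation_writes: int = 4) -> Dict[Edge, str]:
    """Return a verdict per (src, dst) pair.

    creation - src spawned dst and wrote at most creation_writes times
    excess   - src spawned dst but wrote more often than creation explains
    foreign  - src never spawned dst: a write into an unrelated process
    """
    verdicts: Dict[Edge, str] = {}
    for pair, n in Counter(writes).items():
        if pair not in edges:
            verdicts[pair] = "foreign"
        elif n > creation_writes:
            verdicts[pair] = "excess"
        else:
            verdicts[pair] = "creation"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in triage_writes(PROCESS_TREE, parse_writes(REPORT_LINES)).items():
        print(pair, verdict)
```

For this report both pairs come out as "creation", which is why the signature adds little here; the same function flags a write into a PID absent from the tree (for example an injection into a pre-existing browser process) as "foreign".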
Processes

C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe"
PID: 1796
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    Child of 1796: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    PID: 2016
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

    Child of 1796: C:\UserDot8Q\devbodec.exe
    Command line: C:\UserDot8Q\devbodec.exe
    PID: 1320
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

Both children are spawned directly by PID 1796 (depth 2 in the original tree). ecdevopti.exe runs from the Startup folder it was dropped into, and devbodec.exe runs from the same path the Run value points at; the RunOnce target C:\MintWE\bodxloc.exe is not executed during this run.
Network
No network entries are listed in this report.

MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 2.6MB
  MD5: fc908d4feb76b3359bdcf5d2fcdab4a6
  SHA1: cb176e532916e63ffeca20ff1347e48e25a869d1
  SHA256: 71ad0d29720f8cd577decd05bfe8afcc4d38954895873f6f7d799581e322b305
  SHA512: 3ed8f5ceb0ddef5d4535d3bea254ce701679ad9a7e0bb77b3ff58001a735cf113138f65c1a5f167f3705fff6f432bef03628b7a33c75d651e2b83d8c2dd4312f

File 2
  Filesize: 2.6MB
  MD5: 64a7f49f5b5066cad879738fa461cbba
  SHA1: da40a4efb8861113438dbb64e2b9a9424063777f
  SHA256: 9849455f6cc7cc7d6c5d7a4a0de8f2c40774ed6b0ebfd7a5b1820b0264303837
  SHA512: b2948c6873f7554e664d7e782c2bb9e32863fc94f8360c21242a861a09bdd09602be198f6ad1dc6278dcbb5ecd9cdc2db1a610c2175c199ba3b05648f9beaafb

File 3
  Filesize: 2.6MB
  MD5: bb608717f32d2778266ec4f5686271b5
  SHA1: 1a7b03186ab57417cba273e4bf48278f08954553
  SHA256: a860d08a8fdbbdb124eae6f71e703110cba5f62a9560836ef953f6ff7b8763b7
  SHA512: a0804185d4a8d996f2e1373a7abdb046742909154e310ef9d8976267ae5d66d3f8802e4c58987d96d4c74fd430bf6d84bdf5d55c7596162e7c4c6a15bfa9cc70

File 4
  Filesize: 173B
  MD5: 76cd0da93c16f75f54f87495e33bf14c
  SHA1: 6a60026f16c8399ac354edcc9a04c47a47147aa3
  SHA256: 3f578b3c4a32112216e4ce6735c49c50d5fc184acdb3a4428dd82ba051e4bce9
  SHA512: 60322a2b7ce6686aa89bc0e574e6a63bf1af4aec3806ca35f38db21c08f041aba9aa10621951f97c824b54b76477906b73d41e7726886378d664b5e691298c63

File 5
  Filesize: 205B
  MD5: 8747ff0a41173d9f1d778815e79ccd4c
  SHA1: 086e66576a87a205ddfdc267b60df5fc46b6e4af
  SHA256: 1f99f9f216a790637f6e71c178668752c34e118d8b8e149494c849a650392cc7
  SHA512: 31066b0b57da75dec741f3bda11347af13617bf51b5718918423cdb721a040e09ead8c9426d9dd7c179324c581be4310bcb3299d5fd038775314b61a606adae4

File 6
  Filesize: 2.6MB
  MD5: 5e038e3b54da32e5c2fec052224d0cf8
  SHA1: 7dfadd45b28bf7d0ef16ac088443ea2c682a963e
  SHA256: 1b3c438e3da10868f9517a5ae3badccc8df2d960b5af82f735a3926e6e302927
  SHA512: aa142f7ae58b64099fd54e58d90a251a10818b1603e2cacf09554876d7f8b0bfcc71024fe00bbf14b55574ac951cad4ca29a23adbe09a0f19a1944f3206f7026

The report does not map these hashes to file names. Four of the six artifacts show the same rounded size (2.6MB) as the submitted sample, yet none of them shares its MD5 or SHA256 and no two of them share a hash with each other, so the dropped executables are not byte-identical copies of the parent and should each be added to blocklists separately. The remaining two are small files of 173B and 205B.